Received: by 2002:a05:6a10:5bc5:0:0:0:0 with SMTP id os5csp2941268pxb; Mon, 18 Oct 2021 05:14:52 -0700 (PDT) X-Google-Smtp-Source: ABdhPJxMb/OL7uh+lEopPCno/yNOOrDvCB9gzPuXowBFBmRE013CKXKSDq8DovyYRoOSFWLAwoz6 X-Received: by 2002:a63:4754:: with SMTP id w20mr23303873pgk.98.1634559292335; Mon, 18 Oct 2021 05:14:52 -0700 (PDT) ARC-Seal: i=1; a=rsa-sha256; t=1634559292; cv=none; d=google.com; s=arc-20160816; b=t5OsSmJkk+eU/m6rdbmc33sdf47h9wehURf5b6QgLknBDaxKu8noK47EFJHsRlDo3J bX6PIJmkYyeJztE7z9w0AHXRxCYKfAUTfyqSBknE9HGeWf7wFCYWY52Hy7uWjShjqeeP 1O6f0f1Ylb3YBGITbVWIcMtBUKcjbx35qeLAbb7R2vf3l2BYaCQTDyrHaYV4Tps+ryir siEzfNeuDk2s//n6naGG+/GwcR2Y2g9tmUJ/deT0NRLS7TVN+ctuEvbUWLnZ84pdmEFI gmRo2aJ0+qsU9pw4vLPky2yx8P4ASOHlFwDrIkWFQAH1a2FS4lDLcnXxJDl7pJmDUAxI 9nvQ== ARC-Message-Signature: i=1; a=rsa-sha256; c=relaxed/relaxed; d=google.com; s=arc-20160816; h=list-id:precedence:mime-version:user-agent:message-id:in-reply-to :date:references:subject:cc:to:from:dmarc-filter:sender :dkim-signature; bh=DFB9KnvnR5g4ew0MqGsNEn5846+3YZbOjK228obcRjo=; b=SlgPDtYyTFRKgBn5ncee4sf1Y03BQGftjakyCUyj8jwv0UHBWRCINcP7Y4Zu3KwXKR FIr7193zgJoxn1NBGL7ZJths8rqj1ddKrsoa/OduerZl0wOcyASdCmcQJs8e/vVsB36D kKgoSaxNRoxjXRcSPrZQfIABdIWWM3zUL1qGKd1u5vZck3POe9gS1kQS2dMpoQrkypdb yVV/0DInrqLUIhTiCmNAeDgsUFTjOPhCanyagUhL1CArjqFoDRZBlSSezlzz04LWMgrh xkOXH+UYWbx4scw0w/fSS2xo722DMVVQ3yxzNZNf5WgnZ6k993VrjxlNFMxjOQnyW2VJ wXsw== ARC-Authentication-Results: i=1; mx.google.com; dkim=pass header.i=@mg.codeaurora.org header.s=smtp header.b=Wv6vtkz5; spf=pass (google.com: domain of linux-wireless-owner@vger.kernel.org designates 23.128.96.18 as permitted sender) smtp.mailfrom=linux-wireless-owner@vger.kernel.org Return-Path: Received: from vger.kernel.org (vger.kernel.org. [23.128.96.18]) by mx.google.com with ESMTP id c8si28439440pjq.55.2021.10.18.05.14.22; Mon, 18 Oct 2021 05:14:52 -0700 (PDT) Received-SPF: pass (google.com: domain of linux-wireless-owner@vger.kernel.org designates 23.128.96.18 as permitted sender) client-ip=23.128.96.18; Authentication-Results: mx.google.com; dkim=pass header.i=@mg.codeaurora.org header.s=smtp header.b=Wv6vtkz5; spf=pass (google.com: domain of linux-wireless-owner@vger.kernel.org designates 23.128.96.18 as permitted sender) smtp.mailfrom=linux-wireless-owner@vger.kernel.org Received: (majordomo@vger.kernel.org) by vger.kernel.org via listexpand id S230346AbhJRMOH (ORCPT + 64 others); Mon, 18 Oct 2021 08:14:07 -0400 Received: from m43-7.mailgun.net ([69.72.43.7]:12434 "EHLO m43-7.mailgun.net" rhost-flags-OK-OK-OK-OK) by vger.kernel.org with ESMTP id S229581AbhJRMOH (ORCPT ); Mon, 18 Oct 2021 08:14:07 -0400 DKIM-Signature: a=rsa-sha256; v=1; c=relaxed/relaxed; d=mg.codeaurora.org; q=dns/txt; s=smtp; t=1634559116; h=Content-Type: MIME-Version: Message-ID: In-Reply-To: Date: References: Subject: Cc: To: From: Sender; bh=DFB9KnvnR5g4ew0MqGsNEn5846+3YZbOjK228obcRjo=; b=Wv6vtkz5lhc+6/Fsg4ijibjfOjUPF5L6eoZynUDt8Yn1Och09zjjCbLdapdntPUPLwmfZjqN llGXe6KtcZ4pcWvIenBcXzg35MwXaqiPyYMfnI87bZdDIvAMP46rhQ0QKyNv0hQjy7fwhE7t SLBJv8S+mOyM/stS0GgI8slZvGw= X-Mailgun-Sending-Ip: 69.72.43.7 X-Mailgun-Sid: WyI3YTAwOSIsICJsaW51eC13aXJlbGVzc0B2Z2VyLmtlcm5lbC5vcmciLCAiYmU5ZTRhIl0= Received: from smtp.codeaurora.org (ec2-35-166-182-171.us-west-2.compute.amazonaws.com [35.166.182.171]) by smtp-out-n04.prod.us-west-2.postgun.com with SMTP id 616d648a03355859c8b7d231 (version=TLS1.2, cipher=TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256); Mon, 18 Oct 2021 12:11:54 GMT Sender: kvalo=codeaurora.org@mg.codeaurora.org Received: by smtp.codeaurora.org (Postfix, from userid 1001) id DB4DDC4360D; Mon, 18 Oct 2021 12:11:53 +0000 (UTC) X-Spam-Checker-Version: SpamAssassin 3.4.0 (2014-02-07) on aws-us-west-2-caf-mail-1.web.codeaurora.org X-Spam-Level: X-Spam-Status: No, score=-2.9 required=2.0 tests=ALL_TRUSTED,BAYES_00,SPF_FAIL autolearn=no autolearn_force=no version=3.4.0 Received: from tykki (tynnyri.adurom.net [51.15.11.48]) (using TLSv1.2 with cipher ECDHE-RSA-AES256-GCM-SHA384 (256/256 bits)) (No client certificate requested) (Authenticated sender: kvalo) by smtp.codeaurora.org (Postfix) with ESMTPSA id D7B92C4338F; Mon, 18 Oct 2021 12:11:50 +0000 (UTC) DMARC-Filter: OpenDMARC Filter v1.4.1 smtp.codeaurora.org D7B92C4338F Authentication-Results: aws-us-west-2-caf-mail-1.web.codeaurora.org; dmarc=none (p=none dis=none) header.from=codeaurora.org Authentication-Results: aws-us-west-2-caf-mail-1.web.codeaurora.org; spf=fail smtp.mailfrom=codeaurora.org From: Kalle Valo To: Pkshih Cc: Colin King , "David S . Miller" , Jakub Kicinski , "linux-wireless\@vger.kernel.org" , "netdev\@vger.kernel.org" , "kernel-janitors\@vger.kernel.org" , "linux-kernel\@vger.kernel.org" Subject: Re: [PATCH][next] rtw89: Fix potential dereference of the null pointer sta References: <20211015154530.34356-1-colin.king@canonical.com> <9cc681c217a449519aee524b35e6b6bc@realtek.com> Date: Mon, 18 Oct 2021 15:11:45 +0300 In-Reply-To: <9cc681c217a449519aee524b35e6b6bc@realtek.com> (Pkshih's message of "Mon, 18 Oct 2021 03:35:28 +0000") Message-ID: <87pms2ttvi.fsf@codeaurora.org> User-Agent: Gnus/5.13 (Gnus v5.13) Emacs/26.1 (gnu/linux) MIME-Version: 1.0 Content-Type: text/plain Precedence: bulk List-ID: X-Mailing-List: linux-wireless@vger.kernel.org Pkshih writes: >> -----Original Message----- >> From: Colin King >> Sent: Friday, October 15, 2021 11:46 PM >> To: Kalle Valo ; David S . Miller ; Jakub Kicinski >> ; Pkshih ; linux-wireless@vger.kernel.org; >> netdev@vger.kernel.org >> Cc: kernel-janitors@vger.kernel.org; linux-kernel@vger.kernel.org >> Subject: [PATCH][next] rtw89: Fix potential dereference of the null pointer sta >> >> From: Colin Ian King >> >> The pointer rtwsta is dereferencing pointer sta before sta is >> being null checked, so there is a potential null pointer deference >> issue that may occur. Fix this by only assigning rtwsta after sta >> has been null checked. Add in a null pointer check on rtwsta before >> dereferencing it too. >> >> Fixes: e3ec7017f6a2 ("rtw89: add Realtek 802.11ax driver") >> Addresses-Coverity: ("Dereference before null check") >> Signed-off-by: Colin Ian King >> --- >> drivers/net/wireless/realtek/rtw89/core.c | 9 +++++++-- >> 1 file changed, 7 insertions(+), 2 deletions(-) >> >> diff --git a/drivers/net/wireless/realtek/rtw89/core.c >> b/drivers/net/wireless/realtek/rtw89/core.c >> index 06fb6e5b1b37..26f52a25f545 100644 >> --- a/drivers/net/wireless/realtek/rtw89/core.c >> +++ b/drivers/net/wireless/realtek/rtw89/core.c >> @@ -1534,9 +1534,14 @@ static bool rtw89_core_txq_agg_wait(struct rtw89_dev *rtwdev, >> { >> struct rtw89_txq *rtwtxq = (struct rtw89_txq *)txq->drv_priv; >> struct ieee80211_sta *sta = txq->sta; >> - struct rtw89_sta *rtwsta = (struct rtw89_sta *)sta->drv_priv; > > 'sta->drv_priv' is only a pointer, we don't really dereference the > data right here, so I think this is safe. More, compiler can optimize > this instruction that reorder it to the place just right before using. > So, it seems like a false alarm. > >> + struct rtw89_sta *rtwsta; >> >> - if (!sta || rtwsta->max_agg_wait <= 0) >> + if (!sta) >> + return false; >> + rtwsta = (struct rtw89_sta *)sta->drv_priv; >> + if (!rtwsta) >> + return false; >> + if (rtwsta->max_agg_wait <= 0) >> return false; >> >> if (rtwdev->stats.tx_tfc_lv <= RTW89_TFC_MID) > > I check the size of object files before/after this patch, and > the original one is smaller. > > text data bss dec hex filename > 16781 3392 1 20174 4ece core-0.o // original > 16819 3392 1 20212 4ef4 core-1.o // after this patch > > Do you think it is worth to apply this patch? I think that we should apply the patch. Even though the compiler _may_ reorder the code, it might choose not to do that. Another question is that can txq->sta really be null? I didn't check the code, but if it should be always set when the null check is not needed. -- https://patchwork.kernel.org/project/linux-wireless/list/ https://wireless.wiki.kernel.org/en/developers/documentation/submittingpatches